[Samba] Problem with Samba-3.0.25rc3 & idmap_ldap (winbind dumps core)
Don Meyer
dlmeyer at uiuc.edu
Tue May 1 07:49:10 GMT 2007
In an effort to improve my lot, I'm trying to move to a ldap backend
for idmap synchronization when I deploy the new 3.0.25 version on my
systems. In preparation for this, I've set up some test systems --
where I'm having some problems that I think others may be
encountering (according to a few comments I've seen recently).
In a nutshell, I believe I have set up my ldap services correctly --
largely following the ldap portion of the guide
at:
http://wiki.samba.org/index.php/Replicated_Failover_Domain_Controller_and_file_server_using_LDAP
At least according to phpldapadmin, I have a functioning master ldap
service on one RHEL4 system and a replicating slave service
established on a second RHEL4 system. I then install the
samba-3.0.25rc3-5 packages, and alter my standard configuration
according to the samba portion of the guide, taking into account the
apparent changes needed due to the man pages for smb.conf &
idmap_ldap. (Relevant configs attached below...)
One step that I'm having a bit of a problem with, and I think it is
contributing to the remainder of the problem below, is the entry of
the credentials for the access to the ldap services. Several guides
state that the proper method to store the credentials for your ldap
access dn is to use smbpasswd:
    smbpasswd -w {password}
However, this command complains:
    ERROR: 'ldap admin dn' not defined! Please check your smb.conf
Only when you put the following line in smb.conf does smbpasswd allow
you to store the password in secrets.tdb.
At this point, I think that everything is ready. After firing up the
upgraded smb & winbind services, I run through my function checklist:
wbinfo -tm OK
wbinfo -D ACES OK
wbinfo -D EXTENSION OK
wbinfo -u OK
All this is looking good, but I don't see any activity on either ldap
service. I don't really expect much, however, until I get to user
enumeration -- the 'getent passwd' stage.
When I issue my first 'getent passwd {user}' command, winbindd dumps
core with the following log excerpt from log.winbindd-idmap:
------------------------------------------
[2007/04/30 12:44:04, 1] nsswitch/idmap.c:idmap_init(343)
Initializing idmap domains
[2007/04/30 12:44:04, 0] nsswitch/idmap_ldap.c:get_credentials(86)
get_credentials: Unable to fetch auth credentials for
cn=sambaadmin,dc=aces-web in ACES
[2007/04/30 12:44:04, 1] nsswitch/idmap_ldap.c:idmap_ldap_db_init(805)
idmap_ldap_db_init: Failed to get connection credentials
(NT_STATUS_ACCESS_DENIED)
[2007/04/30 12:44:04, 0] nsswitch/idmap.c:idmap_init(438)
ERROR: Initialization failed for backend ldap (domain ACES), deferred!
[2007/04/30 12:44:04, 0] lib/fault.c:fault_report(41)
===============================================================
[2007/04/30 12:44:04, 0] lib/fault.c:fault_report(42)
INTERNAL ERROR: Signal 11 in pid 29969 (3.0.25rc3)
Please read the Trouble-Shooting section of the Samba3-HOWTO
[2007/04/30 12:44:04, 0] lib/fault.c:fault_report(44)
From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2007/04/30 12:44:04, 0] lib/fault.c:fault_report(45)
===============================================================
[2007/04/30 12:44:04, 0] lib/util.c:smb_panic(1620)
PANIC (pid 29969): internal error
[2007/04/30 12:44:04, 0] lib/util.c:log_stack_trace(1724)
BACKTRACE: 20 stack frames:
#0 winbindd(log_stack_trace+0x2d) [0x23cc82]
#1 winbindd(smb_panic+0x56) [0x23cd89]
#2 winbindd [0x2294e5]
#3 /lib/tls/libc.so.6 [0x414898]
#4 winbindd [0x35ca8c]
#5 winbindd(idmap_init+0xecc) [0x357078]
#6 winbindd(idmap_sids_to_unixids+0x29) [0x358a78]
#7 winbindd(idmap_sid_to_uid+0x68) [0x35bda6]
#8 winbindd(winbindd_dual_sid2uid+0x12b) [0x1dde2b]
#9 winbindd [0x1dc15d]
#10 winbindd [0x1dceb9]
#11 winbindd(winbindd_sid2uid_async+0x7d) [0x1ddcf6]
#12 winbindd [0x1b1de5]
#13 winbindd [0x1e0f3f]
#14 winbindd [0x1dce07]
#15 winbindd [0x1dc852]
#16 winbindd [0x1af89c]
#17 winbindd(main+0x779) [0x1b0d24]
#18 /lib/tls/libc.so.6(__libc_start_main+0xd3) [0x401de3]
#19 winbindd [0x1af351]
[2007/04/30 12:44:04, 0] lib/fault.c:dump_core(181)
dumping core in /var/log/samba/cores/winbindd
------------------------------------------
What I note in idmap_ldap.c is that the get_credentials function
appears to be calling idmap_fetch_secret with some combination of the
DOMAIN and 'ldap_user_dn'. However, smbpasswd appears to be fixated
on the presence of the 'ldap admin dn' directive, leading me to
believe that smbpasswd may be storing under a different key than the
retrieval function is looking for... I traced the smbpasswd code
back to param/loadparm.c, and everything keys to 'ldap_admin_dn',
with no association with any domain value.
Then I traced the secret retrieval process back to passdb/secrets.c,
where I then traced the secrets_store_generic function back out to
the 'net idmap secret' command. For others' reference, to set the
ldap_user_dn password for each defined domain, and for the idmap
alloc config side, you use the following commands:
    net idmap secret <DOMAIN> <secret>
    net idmap secret alloc <secret>
(Note: A little pointer dropped in the man page for idmap_ldap would
have been quite helpful here...)
Both of these were successful for me, so I went directly to
restarting winbindd and retesting. Sure enough, we have another
core dump as I issue the first getent passwd {user} command.
The log excerpt from log.winbindd-idmap follows:
------------------------------------------------
[2007/05/01 02:02:47, 1] nsswitch/idmap.c:idmap_init(343)
Initializing idmap domains
[2007/05/01 02:02:47, 0] lib/fault.c:fault_report(41)
===============================================================
[2007/05/01 02:02:47, 0] lib/fault.c:fault_report(42)
INTERNAL ERROR: Signal 11 in pid 10031 (3.0.25rc3)
Please read the Trouble-Shooting section of the Samba3-HOWTO
[2007/05/01 02:02:47, 0] lib/fault.c:fault_report(44)
From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2007/05/01 02:02:47, 0] lib/fault.c:fault_report(45)
===============================================================
[2007/05/01 02:02:47, 0] lib/util.c:smb_panic(1620)
PANIC (pid 10031): internal error
[2007/05/01 02:02:47, 0] lib/util.c:log_stack_trace(1724)
BACKTRACE: 20 stack frames:
#0 winbindd(log_stack_trace+0x2d) [0xc9dc82]
#1 winbindd(smb_panic+0x56) [0xc9dd89]
#2 winbindd [0xc8a4e5]
#3 /lib/tls/libc.so.6 [0x99f898]
#4 winbindd [0xdbda8c]
#5 winbindd(idmap_init+0xecc) [0xdb8078]
#6 winbindd(idmap_sids_to_unixids+0x29) [0xdb9a78]
#7 winbindd(idmap_sid_to_uid+0x68) [0xdbcda6]
#8 winbindd(winbindd_dual_sid2uid+0x12b) [0xc3ee2b]
#9 winbindd [0xc3d15d]
#10 winbindd [0xc3deb9]
#11 winbindd(winbindd_sid2uid_async+0x7d) [0xc3ecf6]
#12 winbindd [0xc12de5]
#13 winbindd [0xc41f3f]
#14 winbindd [0xc3de07]
#15 winbindd [0xc3d852]
#16 winbindd [0xc1089c]
#17 winbindd(main+0x779) [0xc11d24]
#18 /lib/tls/libc.so.6(__libc_start_main+0xd3) [0x98cde3]
#19 winbindd [0xc10351]
[2007/05/01 02:02:47, 0] lib/fault.c:dump_core(181)
dumping core in /var/log/samba/cores/winbindd
------------------------------------------------
I'm having trouble tracing this beyond the idmap_init function in
nsswitch/idmap.c.
If this points to a problem in samba, I hope this helps. On the
other hand, if this is a problem in my setup, any pointers in the
direction of fixing it would be greatly appreciated.
-D
Config details:
smb.conf: (output from testparm)
-----------------------------------
[global]
workgroup = ACES
realm = COLLEGE.ACESNET.UIUC.EDU
netbios name = ACES-BETA-MAINT
server string = %L (Samba v%v)
security = ADS
obey pam restrictions = Yes
password server = college.acesnet.uiuc.edu
username map = /etc/samba/smbusers
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
log file = /var/log/samba/%m.log
max log size = 0
name resolve order = host lmhosts wins bcast
deadtime = 15
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = No
dns proxy = No
wins server = 128.174.5.30, 128.174.5.31
# the following line was added to satisfy smbpasswd...
ldap admin dn = cn=sambaadmin,dc=aces-web
idmap domains = ALLDOMAINS
idmap alloc backend = ldap
idmap uid = 10000-100000000
idmap gid = 10000-100000000
template shell = /bin/bash
winbind cache time = 10
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
idmap alloc config:range = 10000-100000000
idmap alloc config:ldap_url = ldap://ldap-master.aces-web:389/
idmap alloc config:ldap_user_dn = cn=sambaadmin,dc=aces-web
idmap alloc config:ldap_base_dn = ou=idmap,dc=aces-web
idmap config ALLDOMAINS:range = 10000-100000000
idmap config ALLDOMAINS:ldap_url = ldap://localhost:389/
idmap config ALLDOMAINS:ldap_user_dn = cn=sambaadmin,dc=aces-web
idmap config ALLDOMAINS:ldap_base_dn = ou=idmap,dc=aces-web
idmap config ALLDOMAINS:backend = ldap
idmap config ALLDOMAINS:default = yes
create mask = 0664
directory mask = 02775
inherit permissions = Yes
inherit acls = Yes
case sensitive = No
-----------------------------------
Don Meyer <dlmeyer at uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services
"They that can give up essential liberty to obtain a little
temporary safety,
deserve neither liberty or safety." -- Benjamin Franklin, 1759
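
Added example, not part of the original post and not Samba code: a small checker that reads testparm-style output and lists every idmap_ldap bind DN that needs its own `net idmap secret` entry, which is the step the post found missing when only `smbpasswd -w` had been run. The function name, the sample text and the LOCALONLY domain are assumptions made for illustration.

```python
import re

# Constructed sample, shaped like the testparm output in the post; LOCALONLY is made up.
SAMPLE_CONF = """\
[global]
    workgroup = ACES
    ldap admin dn = cn=sambaadmin,dc=aces-web
    idmap alloc backend = ldap
    idmap alloc config:ldap_user_dn = cn=sambaadmin,dc=aces-web
    idmap config ALLDOMAINS:ldap_user_dn = cn=sambaadmin,dc=aces-web
    idmap config ALLDOMAINS:backend = ldap
    idmap config LOCALONLY:backend = tdb
"""

DOMAIN_OPT = re.compile(r"^idmap config\s+([^:\s]+)\s*:\s*(\S+)$", re.I)
ALLOC_OPT = re.compile(r"^idmap alloc config\s*:\s*(\S+)$", re.I)

def required_idmap_secrets(conf_text):
    """Return (scope, bind_dn, command) for each idmap_ldap bind DN needing a stored secret."""
    domains, alloc, alloc_backend = {}, {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue  # skip blanks, comments and section headers
        name, value = (part.strip() for part in line.split("=", 1))
        m = DOMAIN_OPT.match(name)
        if m:  # per-domain option: idmap config <DOMAIN>:<key>
            domains.setdefault(m.group(1), {})[m.group(2).lower()] = value
            continue
        m = ALLOC_OPT.match(name)
        if m:  # allocator option: idmap alloc config:<key>
            alloc[m.group(1).lower()] = value
        elif name.lower() == "idmap alloc backend":
            alloc_backend = value.lower()
    needed = []
    for dom, opts in sorted(domains.items()):
        # 'ldap admin dn' is deliberately ignored: the post found it is not what idmap_ldap reads
        if opts.get("backend", "").lower() == "ldap" and "ldap_user_dn" in opts:
            needed.append((dom, opts["ldap_user_dn"], f"net idmap secret {dom} <secret>"))
    if alloc_backend == "ldap" and "ldap_user_dn" in alloc:
        needed.append(("alloc", alloc["ldap_user_dn"], "net idmap secret alloc <secret>"))
    return needed

if __name__ == "__main__":
    for scope, dn, cmd in required_idmap_secrets(SAMPLE_CONF):
        print(f"{scope}: bind DN {dn} -> run: {cmd}")
```
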